Securing the Cloud Infrastructure from Hypervisor to the Edge
Gaweł Mikołajczyk, gmikolaj@cisco.com
Security Consulting Systems Engineer, EMEA Central Core Team
CCIE #24987, CISSP-ISSAP, CISA
PLNOG8, March 5, 2012, Warsaw, Poland
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Diagram: policy at the corporate border; Software as a Service, Platform as a Service, Infrastructure as a Service, X as a Service; applications and data; corporate office, branch office, home office, airport, coffee shop, mobile user; attackers, partners, customers.
Three dimensions: security for the cloud infrastructure, security for access to the cloud, and commercial security services delivered from the cloud.
Diagram: multi-tenant data centre path.
Private VPN: MPLS or IPsec/SSL; NAS edge; L2 or L3 access.
Aggregation: one tenant per VRF.
Services: VRF/VLAN mapping to virtual firewall / load balancer.
Access: mapping to compute, each VRF to a unique VLAN.
Tenant A, WAN, Data Center Core, Tenant B, sub-tenants B1 and B2, Nexus 1000V.
Diagram: virtualization security concerns. Physical security; vMotion (memory); vStorage (disk); role-based access; virtualization security; segmentation; NIC #1 and NIC #2; OS hardening; hypervisor security; patch management; sprawl; veth, veth.
Real case: "[...] It looks like the O&M firewall is not filtering the ARP traffic the right way. This allows a to connect to any other through the O&M network after injecting malicious ARP traffic. This happens even if the destination belongs to a different tenant VDC [...]"
The virtual access layer should offer at least the same Layer-2 security mechanisms as the physical data centre: Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, Layer-2 storm control, rate limiters, VXLAN.
Without these mechanisms the consequences of attacks on the network infrastructure (considering the scale, thousands of [...]) are catastrophic.
Layer-2 visibility can be achieved through: NetFlow collection; SPAN, RSPAN or ERSPAN.
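The O&M case quoted above is exactly what Dynamic ARP Inspection is meant to stop: an ARP reply is only forwarded if the sender IP/MAC pair, on that VLAN and port, matches what DHCP snooping learned. The following Python model is an added illustration, not code from the slides or from Cisco; the binding table, VLAN, veth port names, addresses and the trusted-uplink assumption are all constructed for the example, and the checks are a simplification of what the switch feature does.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP/MAC a host obtained on a VLAN and port."""
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPacket:
    """The ARP frame fields that DAI looks at (sample values are constructed below)."""
    vlan: int
    ingress_port: str
    eth_src: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


class DaiInspector:
    """Simplified Dynamic ARP Inspection: on untrusted ports every ARP frame must
    match a snooping binding (VLAN, sender IP -> MAC, port); anything else is dropped."""

    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str] = ()):
        # Key the table by (VLAN, IP); normalise MACs so comparisons are case-insensitive.
        self.table: Dict[Tuple[int, str], Binding] = {
            (b.vlan, b.ip): Binding(b.vlan, b.ip, b.mac.lower(), b.port) for b in bindings
        }
        self.trusted = set(trusted_ports)
        self.drop_log: List[str] = []

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        if pkt.ingress_port in self.trusted:
            return True, "trusted port, not inspected"
        # Optional source-MAC validation: Ethernet source must equal the ARP sender MAC.
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return self._drop(pkt, "Ethernet source does not match ARP sender MAC")
        binding = self.table.get((pkt.vlan, pkt.sender_ip))
        if binding is None:
            return self._drop(pkt, "no DHCP snooping binding for sender IP")
        if binding.mac != pkt.sender_mac.lower() or binding.port != pkt.ingress_port:
            return self._drop(pkt, "sender IP bound to a different MAC or port")
        return True, "binding matched"

    def _drop(self, pkt: ArpPacket, reason: str) -> Tuple[bool, str]:
        self.drop_log.append(f"DROP vlan {pkt.vlan} port {pkt.ingress_port} "
                             f"{pkt.sender_ip}/{pkt.sender_mac}: {reason}")
        return False, reason


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: two VMs on VLAN 180, each learned by DHCP snooping on its own veth."""
    bindings = [
        Binding(vlan=180, ip="10.20.180.11", mac="00:50:56:aa:00:11", port="Vethernet9"),
        Binding(vlan=180, ip="10.20.180.12", mac="00:50:56:aa:00:12", port="Vethernet10"),
    ]
    dai = DaiInspector(bindings, trusted_ports={"Ethernet1/1"})  # assumed trusted uplink
    packets = [
        # legitimate ARP reply from VM 1 on its own port
        ArpPacket(180, "Vethernet9", "00:50:56:aa:00:11", "00:50:56:aa:00:11", "10.20.180.11"),
        # VM 2 claims VM 1's address: binding mismatch, dropped
        ArpPacket(180, "Vethernet10", "00:50:56:aa:00:12", "00:50:56:aa:00:12", "10.20.180.11"),
        # an address nobody obtained via DHCP (the gateway): no binding, dropped
        ArpPacket(180, "Vethernet10", "00:50:56:aa:00:12", "00:50:56:aa:00:12", "10.20.180.1"),
        # the same claim arriving on the trusted uplink is not inspected
        ArpPacket(180, "Ethernet1/1", "00:50:56:aa:00:12", "00:50:56:aa:00:12", "10.20.180.1"),
    ]
    results = [dai.inspect(p) for p in packets]
    for line in dai.drop_log:
        print(line)
    return results
```

The drop log is the piece a defender wants from the real feature: DAI violations on a virtual access layer are a direct indicator of the cross-tenant ARP injection described in the slide, and they belong in the same NetFlow/syslog collection the deck recommends for Layer-2 visibility.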
Port Profile > Port Group (vCenter API)

port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled

interface Vethernet9
  inherit port-profile vm180
interface Vethernet10
  inherit port-profile vm180
Diagram: ERSPAN from the Nexus 1000V to physical analysis tools. Nexus 7000 (vPC, peer-link), Cat 6500 (VSS, service VLANs), Nexus 5000, ESX server running Nexus 1000V and VSG, ASA 5585, NAM (10.20.20.50), IDS (10.20.20.51), 10.20.30.101.

monitor session 1 type erspan-source
  description N1k ERSPAN session 1
monitor session 3 type erspan-destination
  description N1k ERSPAN to NAM

monitor session 2 type erspan-source
  description N1k ERSPAN session 2
monitor session 4 type erspan-destination
  description N1k ERSPAN to IDS1
Two models for securing virtual workloads:
1. Redirecting traffic from [...] to physical appliances (physical appliances and modules, VLANs, virtual contexts).
2. Security services at the hypervisor level (virtual appliances, VSN).
Diagram: Web Server, App Server, Database Server behind each hypervisor.
Diagram: service sandwich between VDCs (N7k1-VDC1 and N7k1-VDC2, vrf1 and vrf2, VLANs 151, 161, 162, 163, 164, 190, hsrp.1, SVI-151, SS1).
ASA Service Module (ASA-SM 1 and ASA-SM 2): virtual contexts, transparent / mixed mode; firewall farm.
ACE load balancer: transparent mode.
Web Application Firewall (WAF).
Network IPS/IDS: inline or promiscuous.
Diagram: Virtual Network Management Center (VNMC); Cisco Nexus 1000V with vPath, a distributed switch that is part of the hypervisor; Virtual Security Gateway (VSG); port group; host: Cisco UCS or other x86 server; Security Administrator and Service Administrator roles.
Diagram: VSG flow handling. VNMC; Nexus 1000V Distributed Virtual Switch with vPath; VSG. (1) Initial flow; (2) initial policy evaluation; (3) VSG verdict; (4) vPath decision cache. Log/Audit.
Diagram: VNMC; Nexus 1000V Distributed Virtual Switch with vPath; ACL offload to the Nexus 1000V (policy enforcement); VSG; the remaining packets of the flow are handled in vPath without returning to the VSG. Log/Audit.
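The two diagrams above describe one mechanism: vPath steers the first packet of a flow to the VSG, which evaluates the security profile, and the verdict is then cached in vPath so later packets of the same flow are enforced on the Nexus 1000V itself. The following Python model is an added illustration of that split, not Cisco code and not the real vPath or VSG implementation; the zones, rules, addresses and the five-tuple flow key are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One security-profile rule: zone to zone on a destination port (assumed shape)."""
    src_zone: str
    dst_zone: str
    dport: int
    action: str  # "permit" or "drop"


class VirtualSecurityGateway:
    """Stands in for the VSG: maps endpoints to zones and evaluates the rules for the
    first packet of a flow. Default action is drop; every evaluation is audited."""

    def __init__(self, zones: Dict[str, str], rules: List[Rule]):
        self.zones = zones
        self.rules = rules
        self.evaluations = 0
        self.audit: List[str] = []

    def evaluate(self, pkt: Packet) -> str:
        self.evaluations += 1
        src = self.zones.get(pkt.src_ip, "unknown")
        dst = self.zones.get(pkt.dst_ip, "unknown")
        action = "drop"
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.dport) == (src, dst, pkt.dport):
                action = r.action
                break
        self.audit.append(f"{src}->{dst} {pkt.proto}/{pkt.dport}: {action}")
        return action


class VPath:
    """Stands in for vPath on the Nexus 1000V: redirects the first packet of each flow
    to the VSG, caches the verdict, and enforces cached verdicts locally (ACL offload)."""

    def __init__(self, vsg: VirtualSecurityGateway):
        self.vsg = vsg
        self.cache: Dict[Tuple[str, str, str, int, int], str] = {}
        self.cache_hits = 0

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, where-decided) for one packet."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)
        if key in self.cache:
            self.cache_hits += 1
            return self.cache[key], "vpath-cache"
        action = self.vsg.evaluate(pkt)   # step 2: initial policy evaluation
        self.cache[key] = action          # step 4: decision cached in vPath
        return action, "vsg"


def run_demo() -> Tuple[List[Tuple[str, str]], int, int]:
    """Constructed three-tier example: web may reach app on 8080, app may reach db on 3306."""
    zones = {"10.20.180.11": "web", "10.20.180.21": "app", "10.20.180.31": "db"}
    rules = [Rule("web", "app", 8080, "permit"), Rule("app", "db", 3306, "permit")]
    vsg = VirtualSecurityGateway(zones, rules)
    vpath = VPath(vsg)
    web_to_app = Packet("10.20.180.11", "10.20.180.21", "tcp", 40001, 8080)
    web_to_db = Packet("10.20.180.11", "10.20.180.31", "tcp", 40002, 3306)  # not allowed
    results = [
        vpath.forward(web_to_app),  # first packet: goes to the VSG
        vpath.forward(web_to_app),  # same flow: served from the vPath cache
        vpath.forward(web_to_db),   # first packet: VSG drops, verdict cached
        vpath.forward(web_to_db),   # same flow: dropped in vPath without the VSG
    ]
    for line in vsg.audit:
        print(line)
    return results, vsg.evaluations, vpath.cache_hits
```

The point for operations is visible in the counters: the VSG sees two evaluations for four packets, and a denied flow keeps being dropped at the switch even if the VSG were unreachable afterwards, which is why the audit log on the VSG records flows rather than every packet.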
VSG: Security Profile to Port Profile
TrustSec is a system-level solution. Overlay SGT tagging at the ingress to the LAN/WAN/VPN; security policy is enforced by SGACLs at egress; centrally stored SGT/SGACL rules give consistency.
Diagram: ingress, 802.1X/MAB/Web Auth, employee in the HR group, HR SGT = 100, Finance (SGT = 4); egress, SGACL applied to HR (SGT = 100).
Role-based TAG:
1. The device authenticates to the network via 802.1X.
2. ISE sends the TAG as the authorization result; it is based on the user/device role.
3. The access switch applies the TAG to the user's traffic.
4. The TAG is carried in additional fields of the L2 Ethernet frame, or the IP-to-SGT mapping is propagated out of band via the SXP protocol.
Diagram: private / public cloud. Spacely Sprockets: Web Server, VSG, ASA 1000V, ASA appliance, Spacely Sprockets employee, central office, Database Server.
Diagram: end-to-end data centre security architecture.
Internet Edge; Network Foundation Protection; Data Center Core; SAN; Data Center Distribution (VDC); Nexus 7018 pairs with vPC; VSS; Nexus 7000 Series (vPC); Nexus 5000 Series and Nexus 2100 Series (vPC); Unified Computing System with Nexus 1000V; Catalyst 6500 with ASA, NAM, ACE and IPS service modules; Virtual Service Nodes; 10Gig server rack zones; multi-zone unified compute.
Centralized security and application service modules and appliances can be applied per zone: stateful packet filtering, network intrusion prevention, server load balancing, web and email security.
Access edge security: ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS.
Flow-based traffic analysis: Network Analysis Module.